Fixing the Java Serialization mess
Pierre Ernst, HackFest.ca 2016
https://goo.gl/rOpF0u
Agenda
Introduction to Java serialization
Attack vectors
  Serialization Gadgets
  • Demo: Denial of Service
  Deserialization endpoints
  • Demo: JMX (CVE-2016-3427)
Mitigation
  • Against Serialization Gadgets
  • Against Deserialization endpoints
  • Demo: Bypassing Apache TomEE look-ahead class name blacklist
  • New concept: Look-ahead method blacklist
Pierre Ernst
linkedin.com/in/pernst
@e_rnst
• Software development background
• Secure Code Review
• Found security vulnerabilities in applications made by: (word cloud; source: http://www.wordle.net)
https://research.trust.salesforce.com/
Salesforce is hiring application security engineers for:
• Enterprise Security (Vendor applications)
• Product Security (Salesforce web applications)
• Infrastructure Security (Salesforce network and Linux environment)
Contact: James Sale, Principal Technical Recruiter, Trust team, Salesforce
jsale@salesforce.com
415-633-6059
linkedin.com/in/jamesgsale
The Big Picture: Java Serialization 101
serialize → byte stream → deserialize
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
Java Serialization 101
Convert a Java instance to/from a binary stream
• Used for persistence (file, database blob)
• Used for transmission (RMI: Remote Method Invocation)
Java API:
• ObjectOutputStream: to serialize (write)
• ObjectInputStream: to deserialize (read)
• JVM knows how to (de)serialize primitive types
• JVM uses reflection and Unsafe to (de)serialize members of any given class.
• The class must implement the interface java.io.Serializable
What could possibly go wrong?
Some classes require special handling
• writeObject() and readObject() methods
• e.g.: java.math.BigDecimal
An application is vulnerable if:
• it deserializes untrusted input,
• and existing classes on the classpath have an “insecure” readObject() method
The readObject() methods can be chained and abused
• “gadget” in reference to ROP gadgets
• Similarly, some other methods can also be abused (covered later): “Magic Methods”
Prior Art (pre-2016)
Date      | Type                 | Product                    | Researcher(s)                    | Reference
Apr 2005  | DOS                  | JRE                        | Marc Schönefeld                  | CVE-2004-2540
Aug 2008  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2008-5353
Apr 2010  | Applet->RCE          | JRE                        | Sami Koivu                       | CVE-2010-0094
Mar 2010  | DOS                  | Sun Java Web Console       | Luca Carettoni                   | Source Code
Sept 2011 | RCE                  | Spring Framework           | Wouter Coekaerts                 | CVE-2011-2894
Oct 2012  | RCE                  | IBM Cognos BI              | Pierre Ernst                     | CVE-2012-4858
Feb 2013  | File Write->RCE      | Apache OpenJPA             | Pierre Ernst                     | CVE-2013-1768
Mar 2013  | File Write->RCE      | Apache Tomcat              | Pierre Ernst                     | CVE-2013-2185
July 2015 | RCE                  | Apache Groovy              | "cpnrodzc7"                      | CVE-2015-3253
Aug 2015  | Buffer Overflow->RCE | Android                    | Or Peles & Roee Hay              | CVE-2015-3837
Nov 2015  | RCE                  | Apache Commons Collections | Chris Frohoff & Gabriel Lawrence | CVE-2015-7450
Nov 2015  | DOS                  | JRE                        | Wouter Coekaerts                 | Source Code
Attack Surfaces: Endpoints vs. Gadgets
Attacker → malicious serialized input (Vulnerable.class) → Vulnerable Service: JVM deserialization against the classpath (bonhomme.Carnaval.class, Vulnerable)
The two attack surfaces:
1. Endpoint: the service deserializes the input
   bonhomme.Carnaval instance = (bonhomme.Carnaval)in.readObject();
2. Gadget: a class on the classpath whose “magic” method gets called during deserialization
   private void readObject(ObjectInputStream in) {
   }
What are the “Magic” methods?
Class is vulnerable if:
• It has a “magic” method that can be abused
Magic methods:
• <init>()
• readObject()
• readResolve()
• validateObject()
• readObjectNoData()
• readExternal()
• finalize()
How can magic methods be abused?
Any side effect with security impact:
• File I/O
• Network I/O
• Code injection
• Denial of service
• …
Java Memory Exhaustion
Pervasive problem, e.g.:
• com.sun.xml.internal.ws.protocol.xml.XMLMessageException
• java.util.concurrent.CopyOnWriteArrayList
• java.util.logging.LogRecord
• java.util.PriorityQueue
• org.apache.catalina.tribes.membership.MemberImpl
private void readObject(ObjectInputStream in)
        throws IOException, ClassNotFoundException {
    int len = in.readInt();                // controlled by attacker
    this.parameters = new Object[len];     // memory exhaustion
    // ...
}
Endpoint is vulnerable if:
• It deserializes user’s input
java.io.ObjectInputStream ois =
    new java.io.ObjectInputStream(/* contains user’s input */);
ois.readObject();
/* OR */
ois.readUnshared();
JMX untrusted deserialization: CVE-2016-3427
Fixed in Java 8 Update 91 (April 2016)
JMX = Java Management eXtensions
• API for managing/monitoring resources
• Client-Server on TCP/IP
• Optional features:
  • TLS socket
  • Authentication
Prior JMX vulnerabilities: Abusing Existing Features
Tomcat JMX: retrieving all the session ids
Prior JMX vulnerabilities: RCE with MLet
Only vulnerable when authentication is not enabled
Sequence (evil.org → victim.com):
1. JMX connect
2. createMBean javax.management.loading.MLet
3. load (evil bean, from evil.org)
4. invoke
Source:
• Exploiting JMX RMI
• Class MLet
JMX Connection Strings (a.k.a. JMX “URLs”)
How many times did you read “RMI”?
• JMX connection strings are future-proof
• Might use some other transport technologies in the future
• But it relies on RMI for now.
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
• rmi://bonhomme.local:10002 is the JMX endpoint
• rmi://bonhomme.local:10001/jmxrmi is the Naming Registry
We can use RMI directly to connect to a JMX server
Connecting to JMX with RMI (directly)
service:jmx:rmi://bonhomme.local:10002/jndi/rmi://bonhomme.local:10001/jmxrmi
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import javax.management.remote.rmi.RMIConnection;
import javax.management.remote.rmi.RMIServer;

Registry registry = LocateRegistry.getRegistry("bonhomme.local", 10001);
RMIServer rmiServer = (RMIServer) registry.lookup("jmxrmi");
RMIConnection rmiConnection = rmiServer.newClient(new String[]{"tomcat", "secret"});
What is RMI again?
RMI: client-server network protocol, RPC-style, uses serialization
RMI Call on the wire (the newClient() call above; the serialized String[] holding the credentials is visible in the stream):
00000000 50 AC ED 00 05 77 22 A1 F2 A2 CB 82 19 D4 02 D0 P....w".........
00000010 70 E5 1A 00 00 01 57 52 A7 43 A2 80 01 FF FF FF p.....WR.C......
00000020 FF F0 E0 74 EA AD 0C AE A8 75 72 00 13 5B 4C 6A ...t.....ur..[Lj
00000030 61 76 61 2E 6C 61 6E 67 2E 53 74 72 69 6E 67 3B ava.lang.String;
00000040 AD D2 56 E7 E9 1D 7B 47 02 00 00 70 78 70 00 00 ..V...{G...pxp..
00000050 00 02 74 00 06 74 6F 6D 63 61 74 74 00 06 73 65 ..t..tomcatt..se
00000060 63 72 65 74 cret
RMIServer API
https://docs.oracle.com/javase/8/docs/api/javax/management/remote/rmi/RMIServer.html
Deserialization happens before authentication can even take place
The Blame Game: Where do we fix it?
1. “Applications should never deserialize untrusted input”
vs.
2. “3rd party libraries should only have secure magic methods”
Defense in Depth: in both places!
Making “magic” methods more secure
• Does the class really need to be serializable?
• Can we add input validation?
  • Prevent path traversal
  • Prevent resource exhaustion
  • …
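What the “prevent resource exhaustion” check looks like when applied to the Java Memory Exhaustion readObject() pattern shown earlier, as an added example (not code from the slides): the length prefix is range-checked against a hypothetical MAX_PARAMS and the array grows only as elements actually arrive. readParameters() is meant to be called from a class’s own readObject(); the three inputs are constructed with ObjectOutputStream, and BoundedParameters is this example’s own name.

```java
import java.io.*;
import java.util.Arrays;

public class BoundedParameters {
    // Hypothetical application limit: no legitimate record carries more parameters than this.
    static final int MAX_PARAMS = 1_000;
    // Memory is committed in small steps, only as elements actually arrive from the stream.
    static final int INITIAL_CAPACITY = 16;

    // Hardened replacement for the slide's readObject() body: the length prefix is a claim
    // made by whoever wrote the stream, so it is range-checked, and the array grows only as
    // objects are read, so a stream that claims many elements but carries none fails cheaply.
    static Object[] readParameters(ObjectInputStream in) throws IOException, ClassNotFoundException {
        int len = in.readInt();
        if (len < 0 || len > MAX_PARAMS) {
            throw new InvalidObjectException("parameter count out of range: " + len);
        }
        Object[] buf = new Object[Math.min(len, INITIAL_CAPACITY)];
        for (int i = 0; i < len; i++) {
            if (i == buf.length) {
                buf = Arrays.copyOf(buf, Math.min(len, buf.length * 2));
            }
            buf[i] = in.readObject();   // a truncated stream ends here with EOFException
        }
        return buf;
    }

    // Constructed input: a stream whose length prefix may disagree with what follows,
    // written with the same primitives (writeInt + writeObject) the vulnerable class reads.
    static byte[] stream(int claimedLength, Object... elements) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeInt(claimedLength);
            for (Object o : elements) oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String attempt(byte[] data) {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + readParameters(in).length + " parameters";
        } catch (InvalidObjectException e) {
            return "rejected: " + e.getMessage();
        } catch (EOFException e) {
            return "rejected: stream ended before the claimed elements arrived";
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(attempt(stream(3, "a", "b", "c")));     // honest prefix
        System.out.println(attempt(stream(Integer.MAX_VALUE)));    // absurd prefix, no elements
        System.out.println(attempt(stream(900, "a")));             // in-range prefix, short stream
    }
}
```

With the third input only INITIAL_CAPACITY slots are ever allocated before the missing elements are detected, which is the point of growing on demand rather than trusting the prefix.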
Fix: Java API change
Today:
bonhomme.Carnaval obj = (bonhomme.Carnaval)ois.readObject();
Tomorrow?
bonhomme.Carnaval obj = ois.readObject(bonhomme.Carnaval.class);
Mitigation: Sandboxing
Deserialization inside a block protected by a Security Manager
Could prevent “malicious” calls:
• File R/W access
• Process creation
• Network access
• …
Not recommended:
• Hard to fine-tune: what is legitimately required?
• Known to be broken, e.g. CVE-2013-4444: code inside finalize() can be abused
Mitigation: Class Name Input Validation
Look-ahead Java deserialization, Jan 2013, Pierre Ernst
Concept used by various validation libraries:
• SerialKiller, by Luca Carettoni
• contrast-rO0 by Contrast Security
• JDK enhancement proposal #290 and CERT Secure Coding SER12-J
We want to validate which classes get deserialized.
The Object Serialization Stream Protocol defines a class description, and the className sits right at the start of the stream:
00000000 AC ED 00 05 73 72 00 11 62 6F 6E 68 6F 6D 6D 65 ....sr..bonhomme
00000010 2E 43 61 72 6E 61 76 61 6C 20 51 75 65 62 65 63 .Carnaval Quebec
00000020 20 02 00 00 78 70 ...xp
STREAM_MAGIC (AC ED), STREAM_VERSION (00 05), TC_OBJECT (73), TC_CLASSDESC (72), className (00 11 + "bonhomme.Carnaval"), serialVersionUID (20 51 75 65 62 65 63 20), classDescFlags (02), fields (00 00), TC_ENDBLOCKDATA (78), TC_NULL (70: no superclass description)
So we could use our own binary parser to decide whether we should stop reading …
… or use existing Java API that allows us to add our own validation hook.
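The “own binary parser” option, as an added example that is not from the slides: it decodes only the stream header and the first class description of the Object Serialization Stream Protocol (tag values from java.io.ObjectStreamConstants) and decides whether to stop before an ObjectInputStream ever touches the bytes. The sample bytes are the slide’s hexdump; ClassDescPeek, the allow list and the java.util.Date cross-check are this example’s own choices (Java 9 or later for Set.of).

```java
import java.io.*;
import java.util.Set;

public class ClassDescPeek {
    // Tag values from java.io.ObjectStreamConstants (Object Serialization Stream Protocol).
    static final int STREAM_MAGIC = 0xACED, STREAM_VERSION = 5;
    static final int TC_NULL = 0x70, TC_CLASSDESC = 0x72, TC_OBJECT = 0x73, TC_STRING = 0x74,
                     TC_ARRAY = 0x75, TC_PROXYCLASSDESC = 0x7D, TC_ENUM = 0x7E;

    // Reads the header and the first class description with a plain DataInputStream and
    // returns the className the stream announces; null when the stream opens with TC_NULL
    // or a bare TC_STRING, which name no class. Arrays come back as "[Lpkg.Type;".
    static String peekFirstClassName(byte[] stream) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(stream));
        if (in.readUnsignedShort() != STREAM_MAGIC || in.readUnsignedShort() != STREAM_VERSION) {
            throw new StreamCorruptedException("not a Java serialization stream");
        }
        int tc = in.readUnsignedByte();
        switch (tc) {
            case TC_NULL: case TC_STRING: return null;
            case TC_OBJECT: case TC_ARRAY: case TC_ENUM: break;
            default: throw new StreamCorruptedException("unexpected first tag 0x" + Integer.toHexString(tc));
        }
        int desc = in.readUnsignedByte();
        if (desc == TC_PROXYCLASSDESC) {
            throw new InvalidClassException("dynamic proxy class descriptors are not accepted");
        }
        if (desc != TC_CLASSDESC) {
            throw new StreamCorruptedException("expected TC_CLASSDESC, got 0x" + Integer.toHexString(desc));
        }
        // className is a 2-byte length followed by modified UTF-8: exactly what readUTF decodes.
        return in.readUTF();
    }

    // The decision the slide describes: stop before ObjectInputStream resolves anything.
    static boolean shouldStopReading(byte[] stream, Set<String> allowList) throws IOException {
        String name = peekFirstClassName(stream);
        return name != null && !allowList.contains(name);
    }

    // Constructed sample: the bytes of the slide's hexdump for a bonhomme.Carnaval instance.
    static final byte[] SLIDE_SAMPLE = hex(
            "ACED0005"                                  // STREAM_MAGIC, STREAM_VERSION
          + "73" + "72"                                 // TC_OBJECT, TC_CLASSDESC
          + "0011626F6E686F6D6D652E4361726E6176616C"   // className: length 17, "bonhomme.Carnaval"
          + "2051756562656320"                          // serialVersionUID
          + "02" + "0000" + "78" + "70");               // classDescFlags, fields, TC_ENDBLOCKDATA, TC_NULL

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        System.out.println(peekFirstClassName(SLIDE_SAMPLE));
        System.out.println(shouldStopReading(SLIDE_SAMPLE, Set.of("bonhomme.Carnaval")));
        System.out.println(shouldStopReading(SLIDE_SAMPLE, Set.of("other.Expected")));
        // Cross-check against the JDK's own writer on a stream it produced.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(new java.util.Date(0)); }
        System.out.println(peekFirstClassName(bos.toByteArray()));
    }
}
```

This only inspects the first class in the stream; nested objects are described later in the same stream, which is why the resolveClass() hook that follows, called for every class as it is encountered, is the more complete place for the check.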
Look-ahead Java deserialization: Adding your own validation hook
resolveClass() is a callback provided by Java, normally used for custom class loading.
import java.io.*;

public class LookAheadObjectInputStream extends ObjectInputStream {
    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Decide on the class name read from the stream before the class is resolved
        if ( ! desc.getName().equals("bonhomme.Carnaval") ) {
            throw new InvalidClassException(
                "Unauthorized deserialization attempt",
                desc.getName());
        }
        return super.resolveClass(desc);
    }
}
Look-ahead Java deserialization: Two ways of validating class names
• White-listing classes that are OK to deserialize
  • Tedious; impossible in a real-life scenario?
• Black-listing classes known to have “bad” “magic” methods
  • a.k.a. Whack-a-mole
  • Known to be broken (Alvaro Muñoz and Christian Schneider, RSA Conference, 2016-03-04):
public class NestedProblems implements Serializable {
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        // A fresh, plain ObjectInputStream: the outer stream's look-ahead check never sees it
        ObjectInputStream ois = new ObjectInputStream(
            /* attacker controlled input */);
        ois.readObject();
    }
}
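Added example, not from the slides, showing why the nested-stream pattern defeats a per-stream look-ahead check and how a JVM-wide JEP 290 filter (java.io.ObjectInputFilter, Java 9 or later) closes the gap: Wrapper plays the NestedProblems role, Unexpected stands in for a class that must not be rebuilt from the stream, and both names, the allow list and NestedStreamFilter are this example’s own.

```java
import java.io.*;
import java.util.Set;

public class NestedStreamFilter {
    // Hypothetical class that must never be rebuilt from untrusted bytes; it only records that it was.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean seen;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            seen = true;
        }
    }

    // The NestedProblems pattern: an allowed class whose readObject() opens a second, plain
    // ObjectInputStream over bytes it just read from the outer stream.
    static final class Wrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        private final byte[] inner;
        Wrapper(byte[] inner) { this.inner = inner; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            try (ObjectInputStream nested = new ObjectInputStream(new ByteArrayInputStream(inner))) {
                nested.readObject();
            }
        }
    }

    // Allow list shared by both checks below: Wrapper is expected, Unexpected is not.
    static final Set<String> ALLOWED = Set.of(Wrapper.class.getName());

    // Per-stream look-ahead validation as on the slides, extended to accept array descriptors
    // such as "[B" (the byte[] field) and "[Lpkg.Type;" when the element type is allowed.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String raw = desc.getName();
            String name = raw.replaceFirst("^\\[+", "");                       // strip array dimensions
            boolean primitiveArray = raw.startsWith("[") && name.length() == 1; // e.g. "[B"
            if (name.startsWith("L") && name.endsWith(";")) name = name.substring(1, name.length() - 1);
            if (!primitiveArray && !ALLOWED.contains(name)) {
                throw new InvalidClassException("Unauthorized deserialization attempt", raw);
            }
            return super.resolveClass(desc);
        }
    }

    // The same allow list as a JEP 290 filter; the JVM consults it for every ObjectInputStream,
    // including the one Wrapper.readObject() creates.
    static ObjectInputFilter jvmWideFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED;       // depth/size-only callbacks
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive()) return ObjectInputFilter.Status.UNDECIDED;
            return ALLOWED.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                 : ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static String readWithLookAhead(byte[] data) throws IOException, ClassNotFoundException {
        Unexpected.seen = false;
        String outcome;
        try (ObjectInputStream in = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            outcome = "accepted";
        } catch (InvalidClassException e) {
            outcome = "rejected: " + e.getMessage();
        }
        return outcome + "; Unexpected deserialized = " + Unexpected.seen;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an Unexpected instance carried inside an allowed Wrapper.
        byte[] outer = serialize(new Wrapper(serialize(new Unexpected())));
        // Per-stream check only: the outer stream sees Wrapper and byte[], nothing else.
        System.out.println("per-stream look-ahead: " + readWithLookAhead(outer));
        // JVM-wide filter: settable once per JVM here, or at startup with -Djdk.serialFilter.
        ObjectInputFilter.Config.setSerialFilter(jvmWideFilter());
        System.out.println("with JEP 290 filter:   " + readWithLookAhead(outer));
    }
}
```

ObjectInputFilter.Config.setSerialFilter() throws IllegalStateException if a filter was already set (including via the jdk.serialFilter property), so install it once at startup before any untrusted stream is read.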
Class Name Input Validation Bypass (Black List mode)
Only an issue if using the black list mode
Classes involved (new):
• org.apache.webbeans.inject.impl.InjectionPointImpl
• org.apache.webbeans.inject.instance.InstanceImpl
• org.apache.webbeans.event.EventImpl
• Fixed in Apache TomEE 7.0.1 (June 2016)
• Fixed in Apache OpenWebBeans 1.5.0 (October 2015)
Mitigation: Look-ahead Method Blacklist Input Validation
Black List: • method1 • method2
For each class x.y.z about to be deserialized:
• Magic methods? no → accept
• Magic methods? yes → analyze each magic method for its called methods (• methodA • methodB)
• Blacklisted methods? no → accept
• Blacklisted methods? yes → reject
Check it out: source code with POC implementation published
Mitigation: Putting everything together
• Security Manager
• Look-ahead Class name validation
  • Whitelisting
  • Blacklisting
• Look-ahead Method blacklisting
Serialization:
1. Don’t use it
2. Class name whitelisting
3. Method blacklisting


Editor's Notes

  • #6 AC ED 00 05: remember this
  • #9 Root cause is *NOT* a weak boundary between data & code; magic methods are not always present
  • #11 Successful exploitation requires both attack surfaces
  • #16 The attacker can control anything that has been read from the stream, or any member that has been deserialized with the default behavior
  • #26 It would be nice if we could send something else than String[]…
  • #28 Vulnerable even if authentication is enabled (happens before); Tomcat used as an example
  • #35 New argument: Class or Class[]
  • #36 Strongly encourage stopping the use of deserialization altogether
  • #44 For lack of a better name…
  • #46 Security Manager is not enough, but it still adds value